Posted to user@shiro.apache.org by jcvidal <jc...@improve.fr> on 2009/07/09 09:46:37 UTC

SHIRO and Flex-RPC

Hi

I'm using a Flex client using RPC and a web server with a Spring-like bean
(singleton).

Broadly speaking, when I call a method in Flex (say 'doit()'), the Flex
Servlet calls the doit() method in the bean.

So, when I authenticate, I do a SecurityUtils.getSubject(), then a
subject.login(). And the Subject is stored in the ThreadContext.

BUT, when furthermore I want to do something else (get a role for example),
I call SecurityUtils.getSubject() and the subject comes from the
ThreadContext.

There is a problem: the Thread is not the same during the two calls, so at
the second time, the SecurityUtils.getSubject() returns an "empty" subject.

I'm using a DefaultSecurityManager, and obviously no JSecurityFilter.

So is there a way to fix this trouble?


Sincerely

Jean-Charles 

SHIRO and Flex-RPC (more)

Posted by jcvidal <jc...@improve.fr>.

Hi

In fact, there is a recurrent trouble. Assume you login on thread23 and
logout in thread24. In ThreadContext of thread24, there is now nothing, but
in thread23 there is always something. And if you login again on thread23
(bad luck), you get an error message ("session invalidate").
So I have to test before the filter: if the session is null, I create it
then I clear the ThreadContext. It works.

Jean-Charles

Re: SHIRO and Flex-RPC

Posted by jcvidal <jc...@improve.fr>.

Hi

In fact, there is a trouble: the filter creates a "dummy" Subject (without
authentication and principals) and the HTTP data are bound during the
SecurityUtils.getSubject(). So: let's say you login in thread24. After you
do other things (getting roles, for example), but in thread25. After the
SecurityUtils.getSubject(), you get a Subject, but a "dummy" one. So you
have to test the Subject.isAuthenticated() and if the result is false, you
have to unbind the Subject from the ThreadContext and retry.

I don't know why it's working in your case, but I suppose you're using
always the same thread (no flex concurrent accesses).


Jean-Charles

Re: SHIRO and Flex-RPC

Posted by Les Hazlewood <lh...@apache.org>.

Hi Jean-Charles,

I'm using Flex RPC supported by Shiro right now in a very large Flex
enterprise product.  I'm kinda slammed today (and possibly tomorrow - doing
a production rollout), but I promise to write up how we've done this.

We're using the normal AMF-over-HTTP.  Since it is HTTP based, the
ShiroFilter intercepts all requests which allows session association based
on a cookie.  That is how the Subject is bound to the current thread in HTTP
environments by default.  This usually works just great for any security
checks you want to do during the request invocation.

Is your scenario that you say, asynchronously trigger off a message
somewhere else (e.g. JMS) and that processing must access the Subject's
identity?

- Les

On Thu, Jul 9, 2009 at 3:46 AM, jcvidal <jc...@improve.fr> wrote:

>
> Hi
>
> I'm using a Flex client using RPC and a web server with a Spring-like bean
> (singleton).
>
> Broadly speaking, when I call a method in Flex (say 'doit()'), the Flex
> Servlet calls the doit() method in the bean.
>
> So, when I authenticate, I do a SecurityUtils.getSubject(), then a
> subject.login(). And the Subject is stored in the ThreadContext.
>
> BUT, when furthermore I want to do something else (get a role for example),
> I call SecurityUtils.getSubject() and the subject comes from the
> ThreadContext.
>
> There is a problem: the Thread is not the same during the two calls, so at
> the second time, the SecurityUtils.getSubject() returns an "empty" subject.
>
> I'm using a DefaultSecurityManager, and obviously no JSecurityFilter.
>
> So is there a way to fix this trouble?
>
>
> Sincerely
>
> Jean-Charles
>
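
The thread23/thread24 behaviour discussed in this thread, as an added example that is not part of the original posts and is not Shiro's own code. It simulates a thread-bound identity with a plain `ThreadLocal` (`CONTEXT`, `SESSIONS`, the method names and the `session-1` id are constructed stand-ins, not Shiro APIs) and contrasts trusting leftover state on a pooled thread with rebinding from the session on every request and clearing in `finally`.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundIdentityDemo {
    // Stand-in for a thread-bound security context (constructed for this demo).
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
    // Stand-in for the server-side session store: sessionId -> authenticated user.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // Unsafe pattern: trust whatever identity the pooled thread still holds.
    static String currentUserNaive() { return CONTEXT.get(); }

    // Per-request pattern: rebind from the session, run the call, always clear afterwards.
    static String withRequestScope(String sessionId, Callable<String> call) throws Exception {
        CONTEXT.set(sessionId == null ? null : SESSIONS.get(sessionId));
        try {
            return call.call();
        } finally {
            CONTEXT.remove(); // nothing survives on the pooled thread
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService thread23 = Executors.newSingleThreadExecutor();
        ExecutorService thread24 = Executors.newSingleThreadExecutor();
        String sid = "session-1"; // constructed sample session id

        // Login handled by thread23: session created, identity left bound to that thread.
        thread23.submit(() -> { SESSIONS.put(sid, "alice"); CONTEXT.set("alice"); }).get();
        // Logout handled by thread24: session destroyed, only thread24's context is cleared.
        thread24.submit(() -> { SESSIONS.remove(sid); CONTEXT.remove(); }).get();

        // A later request lands on thread23 again and reads the leftover identity.
        String stale = thread23.submit(() -> currentUserNaive()).get();
        System.out.println("naive lookup on thread23 after logout: " + stale);

        // The same request handled with per-request binding sees no identity.
        String scoped = thread23.submit(() -> withRequestScope(sid, () -> CONTEXT.get())).get();
        System.out.println("request-scoped lookup on thread23: " + scoped);

        thread23.shutdown();
        thread24.shutdown();
    }
}
```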